Security Plan Formal Review Report
Persistency Security Plan Formal Review
status: valid
security: YES
safety: ASIL_B
1. Purpose
The purpose of this checklist is to report the status of the formal review of the security plan.
2. Checklist
| Id | Security plan activity | Compliant with ISO/SAE 21434? | Comment |
|---|---|---|---|
| 1 | Is the rationale for tailoring the security work products included? | [YES \| NO] | <Rationale for result> |
| 2 | Is an impact analysis planned for re-used SW (needed for every release following the first formal release)? | [YES \| NO] | <Rationale for result> |
| 3 | Does the security plan define all needed activities for security management (incl. review and security audit)? | [YES \| NO] | <Rationale for result> |
| 4 | Does the security plan define all needed activities for SW development, integration and verification? | [YES \| NO] | <Rationale for result> |
| 5 | Does the security plan define all needed activities for security analysis? | [YES \| NO] | <Rationale for result> |
| 6 | Does the security plan define all needed activities for supporting processes (incl. tool management)? | [YES \| NO] | <Rationale for result> |
| 7 | Does the security plan name a responsible person for every activity? | [YES \| NO] | <Rationale for result> |
| 8 | If off-the-shelf software components (e.g. existing OSS) are used, is their analysis planned? | [YES \| NO] | <Rationale for result> |
| 9 | Are a security manager and a project lead appointed for the project? | [YES \| NO] | <Rationale for result> |
| 10 | Is the security plan sufficiently linked to the project plan? | [YES \| NO] | <Rationale for result> |
| 11 | Is the security plan updated iteratively to show progress? | [YES \| NO] | <Rationale for result> |
| 12 | If out-of-context software components are used, are the assumptions documented? | [YES \| NO] | <Rationale for result> |
| 13 | Does the security plan define all needed activities for SBOM generation? | [YES \| NO] | <Rationale for result> |
| 14 | Does the security plan define regular vulnerability scans based on the generated SBOM? | [YES \| NO] | <Rationale for result> |
Note
Off-the-shelf means existing software that may be used without modification, e.g. existing OSS.